Linode on Moos3
http://blog.guthnur.net/tags/linode/
Recent content in Linode on Moos3 (Hugo, gohugo.io; en-us; All rights reserved - 2015; last build Thu, 16 Jun 2016 15:01:46 -0400)

GRE VPN with Multi-endpoints to single server
http://blog.guthnur.net/gre-vpn-multihost-central-server/
Thu, 16 Jun 2016 15:01:46 -0400
<p>This is a continuation of yesterday's article about AWS VPC VPNs with GRE. In that article we connected machines point to point. But what happens when the boss says "let's do this for 20 machines"? A separate point-to-point tunnel per host will not work for that, so let's get right into the approach that does.</p>
<p>First, you will need some minor changes in syntax for this to work. Let's look at our tunnel setup command. In the last article it looked like this:</p>
<pre><code>ip tunnel add gre-client mode gre local &lt;ip&gt; remote &lt;ip&gt; ttl 255
</code></pre>
<p>It is going to change to the following version:</p>
<pre><code>ip tunnel add gre-client mode gre local &lt;ip&gt; key &lt;key number&gt;
</code></pre>
<p>You will see that we are not specifying a remote endpoint or a ttl this time; the ttl has been replaced by <code>key</code>. The key is important: it is a 32-bit value carried in the GRE header, and a packet is only delivered to this tunnel when its key matches, so it works as a basic "does this belong to my tunnel" check. It is sent in cleartext, so it is not cryptographic authentication, and GRE itself does not encrypt anything. Next we will use the <code>ip neigh</code> command. This tells the machine at which real address to find each other machine in the tunnel subnet. It should look like this:</p>
<pre><code>ip neigh add 10.10.0.1 lladdr &lt;remote_host_ip&gt; dev gre-vpn
</code></pre>
<p>In the neighbor command, replace <code>&lt;remote_host_ip&gt;</code> with the address that was the remote endpoint in the first (point-to-point) version, that is, the other host's real IP address.</p>
<p>Altogether, with three hosts, it looks like this:</p>
<p><strong>Host A</strong></p>
<pre><code>ip tunnel add gre-vpn mode gre local 192.168.10.232 key 123
ip link set gre-vpn up
ip addr add 10.10.0.1/26 broadcast 10.10.0.63 dev gre-vpn
# one neighbour entry per host this machine must reach directly
ip neigh add 10.10.0.2 lladdr 192.168.19.24 dev gre-vpn
ip neigh add 10.10.0.3 lladdr 192.168.29.23 dev gre-vpn
</code></pre>
<p><strong>Host B</strong></p>
<pre><code>ip tunnel add gre-vpn mode gre local 192.168.19.24 key 123
ip link set gre-vpn up
ip addr add 10.10.0.2/26 broadcast 10.10.0.63 dev gre-vpn
ip neigh add 10.10.0.1 lladdr 192.168.10.232 dev gre-vpn
</code></pre>
<p><strong>Host C</strong></p>
<pre><code>ip tunnel add gre-vpn mode gre local 192.168.29.23 key 123
ip link set gre-vpn up
ip addr add 10.10.0.3/26 broadcast 10.10.0.63 dev gre-vpn
ip neigh add 10.10.0.1 lladdr 192.168.10.232 dev gre-vpn
</code></pre>
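<p>As an added example (not code from the original post), here is a small POSIX shell script that generates these per-host command sets from a host list. It goes one step beyond the three-host listing above: every host gets a neighbour entry for every other host, so any pair can talk directly rather than only through the server. The host list is constructed from the addresses above; the device name, subnet and key are the post's; the helper names <code>mgre_commands</code> and <code>neigh_count</code> are this example's own.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: print the per-host "ip"
# commands for a multipoint GRE mesh. Each host gets a neighbour entry for
# every other host in HOSTS, so any pair can talk directly.
# HOSTS is a constructed list using the post's addressing:
# "name tunnel_ip underlay_ip", one host per line.

HOSTS='A 10.10.0.1 192.168.10.232
B 10.10.0.2 192.168.19.24
C 10.10.0.3 192.168.29.23'

GRE_DEV=gre-vpn      # tunnel interface name used in the post
GRE_KEY=123          # GRE key; must match on every host (sent in cleartext)
PREFIX_LEN=26        # 10.10.0.0/26 from the post
BCAST=10.10.0.63

# mgre_commands NAME: print the commands that bring the tunnel up on host NAME
# and add one "ip neigh" entry per other host in HOSTS.
mgre_commands() {
    name=$1
    line=$(printf '%s\n' "$HOSTS" | awk -v n="$name" '$1 == n')
    if [ -z "$line" ]; then
        echo "unknown host: $name" >&2
        return 1
    fi
    set -- $line
    tun_ip=$2
    under_ip=$3
    printf 'ip tunnel add %s mode gre local %s key %s\n' "$GRE_DEV" "$under_ip" "$GRE_KEY"
    printf 'ip link set %s up\n' "$GRE_DEV"
    printf 'ip addr add %s/%s broadcast %s dev %s\n' "$tun_ip" "$PREFIX_LEN" "$BCAST" "$GRE_DEV"
    printf '%s\n' "$HOSTS" | awk -v n="$name" -v dev="$GRE_DEV" \
        '$1 != n { printf "ip neigh add %s lladdr %s dev %s\n", $2, $3, dev }'
}

# neigh_count NAME: how many neighbour entries host NAME gets (hosts minus one).
neigh_count() {
    mgre_commands "$1" | grep -c '^ip neigh add '
}

# Dry run: print every host's block. To apply on a host, run its block as
# root there (for example: mgre_commands A | sh).
for h in $(printf '%s\n' "$HOSTS" | awk '{ print $1 }'); do
    echo "# Host $h"
    mgre_commands "$h"
    echo
done
```

<p>Adding a host means adding one line to <code>HOSTS</code> and re-running the block on every machine, which is exactly the bookkeeping that a hub-only neighbour table quietly skips.</p>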
<p>Now all three machines should be able to talk to each other over the VPN (host A reaches B and C; for B and C to reach each other directly, each also needs a neighbor entry for the other). If you try to ping a machine and can't, you most likely have ufw on and just need to edit the <code>/etc/ufw/before.rules</code> file and put this in:</p>
<pre><code># Allow GRE protocol for VPN
-A ufw-before-input -p 47 -j ACCEPT
-A ufw-before-output -p 47 -j ACCEPT
</code></pre>
<p>This set of rules needs to come before the following lines in the file (since GRE itself has no access control, you can tighten the input rule to your peers' addresses with <code>-s</code>):</p>
<pre><code># drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
</code></pre>
<p>Once you have made your changes, disable ufw and then re-enable it. Then your pings should start working.</p>
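<p>As an added example (not code from the original post), the following POSIX shell function checks a <code>before.rules</code> file for the two conditions this section asks for: GRE (IP protocol 47) is accepted on both the input and output chains, and the input accept sits above the conntrack INVALID drop. The two sample rule sets are constructed; the function name <code>gre_rules_ok</code> is this example's own.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: check that a ufw
# before.rules file allows GRE (IP protocol 47) on both the input and
# output chains, and that the input accept sits above the conntrack
# INVALID drop, which is the ordering the post asks for. The samples
# below are constructed; the function name is this example's own.

# gre_rules_ok: read a before.rules file on stdin; return 0 when the GRE
# accepts are present and correctly ordered, 1 otherwise (reason on stderr).
gre_rules_ok() {
    rules=$(cat)
    in_line=$(printf '%s\n' "$rules" | grep -n -e '-A ufw-before-input -p 47 -j ACCEPT' | head -n 1 | cut -d: -f1)
    out_line=$(printf '%s\n' "$rules" | grep -n -e '-A ufw-before-output -p 47 -j ACCEPT' | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -e '--ctstate INVALID -j DROP' | head -n 1 | cut -d: -f1)
    if [ -z "$in_line" ] || [ -z "$out_line" ]; then
        echo "GRE accept rule missing on ufw-before-input or ufw-before-output" >&2
        return 1
    fi
    if [ -n "$drop_line" ] && [ "$in_line" -gt "$drop_line" ]; then
        echo "GRE accept (line $in_line) comes after INVALID drop (line $drop_line)" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the right order (GRE accepted before the INVALID drop).
GOOD_RULES='*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
# Allow GRE protocol for VPN
-A ufw-before-input -p 47 -j ACCEPT
-A ufw-before-output -p 47 -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
COMMIT'

# Constructed sample with the GRE rules appended below the INVALID drop.
BAD_RULES='*filter
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p 47 -j ACCEPT
-A ufw-before-output -p 47 -j ACCEPT
COMMIT'

printf '%s\n' "$GOOD_RULES" | gre_rules_ok && echo "good sample: ok"
printf '%s\n' "$BAD_RULES" | gre_rules_ok || echo "bad sample: rejected"
# On a real box: gre_rules_ok < /etc/ufw/before.rules
```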
<p>If, like me, your Host A also runs the VPN to AWS, add this route on every host that should be able to ping into AWS:</p>
<pre><code>ip route add 172.16.0.0/16 via 10.10.0.1
</code></pre>
<p>That's all you should need to attach any number of GRE tunnels to your VPN gateway box. Happy VPN'ing.</p>
AWS VPC VPN connection to Linode with GRE Tunnels
http://blog.guthnur.net/aws-vpc-vpn-linode-gre/
Wed, 15 Jun 2016 15:11:09 -0400
<p>We have started to migrate from <a href="https://www.linode.com">Linode</a> to <a href="https://aws.amazon.com">Amazon AWS</a> at work. We are using a specialized AWS VPC design to make our infrastructure faster, stronger and more secure than we could at Linode. One of the major issues we had to overcome is that there is no way to connect AWS to Linode and Linode to AWS directly. With some magic and special sauce we came up with the following solution.</p>
<p><strong>RACOON + QUAGGA + GRE TUNNELS == FTW</strong></p>
<p>First, if you are on Linode, you will need to do the following steps, which this tutorial does not cover. One: get on the generic kernel, not the custom Linode kernels. Two: set up your VPC VPN configuration; I suggest you follow this tutorial: <a href="https://medium.com/@silasthomas/aws-vpc-ipsec-site-to-site-vpn-using-a-ubiquiti-edgemax-edgerouter-with-bgp-routing-37abafb950f3#.o1n31p7em">Medium AWS VPC VPN with BGP</a>. It is important that you follow the steps and download the generic configuration; you will need it later in this tutorial. I am also assuming that you have multiple machines in Linode and that they are Debian/Ubuntu based. You will want to spin up a box that will serve as your AWS gateway.</p>
<h4 id="racoon-setup">Racoon Setup</h4>
<p>You will need to install racoon first, using <code>apt-get install ipsec-tools racoon</code>. If you are running a RHEL- or BSD-based system you will need to look up how to install racoon and ipsec-tools there.</p>
<h4 id="quagga-setup">Quagga Setup</h4>
<p>You will need to install quagga as well, using <code>apt-get install quagga</code>. If you are running a RHEL- or BSD-based system you will need to look up how to install quagga there.</p>
<h3 id="configuration-of-racoon-and-quagga">Configuration of Racoon and Quagga</h3>
<p>Luckily I have written a script to make this a lot easier for you :) The following script generates the racoon and quagga configuration for you.</p>
<script src="//gist.github.com/moos3/36c5bfc36e084e8c4ca18f44eb6f8292.js"></script>
<p>To run this script, first copy your generic configuration text file to the machine you are setting up as your AWS VPC VPN gateway. Then edit the script and set the following variables:</p>
<script src="//gist.github.com/moos3/bffb716f8add396fb6400868b77e754b.js"></script>
<p>Once you have those set, run the script like so: <code>./vpnsetup.sh aws-configuration.txt</code>. Sit back and wait for it to parse the file and run. To check whether the session came up, look at <code>/var/log/quagga/bgp.log</code>; if it was successful you should see output like this:</p>
<script src="//gist.github.com/moos3/6bd0956e53d19479607825b8984eff35.js"></script>
<p>If you have a node in your VPC you should be able to ping it from this box. You have now successfully set up BGP and IPsec on Linux :) If you don't see this in your logs, check your BGP_ID value and whether your IPsec security association has come up; use <code>racoonctl show-sa ipsec</code> to inspect racoon's SAs.</p>
<h3 id="gre-setup-and-configuration">GRE setup and configuration</h3>
<p>The second part is to let the other nodes inside Linode talk to the AWS nodes. We will use GRE for this. First, edit <code>/etc/modules</code> and add <code>ip_gre</code> so the kernel loads the module at boot. Next, pick a subnet size that fits what you are trying to do; I would stick with nothing bigger than a /26. For this example we use 10.10.0.0/26 as our GRE network and two boxes to get started. I recommend the following for box A (the AWS VPN gateway box).</p>
<p><code>remote</code> is the IP address of the box on the other end; <code>local</code> is the local IP of the box you are adding the tunnel to.</p>
<p>AWS vpn gateway box:</p>
<pre><code>ip tunnel add gre-client mode gre remote 192.168.1.34 local 192.168.0.24 ttl 255
ip link set gre-client up
ip link set gre-client multicast on
ip addr add 10.10.0.1/26 broadcast 10.10.0.63 dev gre-client
</code></pre>
<p>Client box that needs to connect to aws:</p>
<pre><code>ip tunnel add gre-vpn mode gre remote 192.168.0.24 local 192.168.1.34 ttl 255
ip link set gre-vpn up
ip link set gre-vpn multicast on
ip addr add 10.10.0.2/26 broadcast 10.10.0.63 dev gre-vpn
</code></pre>
<p>Next, add a route on the client side that sends traffic for your AWS network to the AWS VPN gateway:</p>
<pre><code>ip route add 172.16.0.0/16 via 10.10.0.1
</code></pre>
<p>Then, on the AWS VPN gateway box, update iptables with an SNAT rule. That looks like this:</p>
<pre><code>iptables -t nat -A POSTROUTING --src 10.10.0.0/26 --dst 172.16.0.0/16 -j SNAT --to-source 169.254.44.42
</code></pre>
<p>The important parts here are that <code>--dst</code> is your AWS VPC network and that <code>--to-source</code> is the tunnel address of the box running the BGP service. You can find this IP address in the quagga logs by looking for the "Zebra rcvd" lines:</p>
<pre><code>2016/06/15 17:13:37 BGP: Zebra rcvd: interface eth0 address add 169.254.44.234/30
2016/06/15 17:13:37 BGP: Zebra rcvd: interface eth0 address add 169.254.44.42/30
</code></pre>
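<p>As an added example (not code from the original post), this POSIX shell snippet pulls the tunnel inside addresses out of the "Zebra rcvd" log lines, checks that the address you intend to use as <code>--to-source</code> was actually reported and is an AWS VPN link-local (169.254.0.0/16) address, and only then prints the SNAT rule. The two log lines are the ones quoted above; the function names <code>inside_addrs</code>, <code>is_link_local</code> and <code>snat_rule</code> are this example's own.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: extract the tunnel inside
# addresses that zebra reported to bgpd from bgp.log, check the chosen
# to-source is one of them and lies in 169.254.0.0/16 (the AWS VPN inside
# address range), then build the SNAT rule from the post. BGP_LOG holds the
# two log lines quoted in the post; the function names are this example's own.

BGP_LOG='2016/06/15 17:13:37 BGP: Zebra rcvd: interface eth0 address add 169.254.44.234/30
2016/06/15 17:13:37 BGP: Zebra rcvd: interface eth0 address add 169.254.44.42/30'

# inside_addrs: print the bare IPv4 address from every
# "Zebra rcvd: ... address add" line, one per line, in log order.
inside_addrs() {
    printf '%s\n' "$BGP_LOG" |
        sed -n 's/.*Zebra rcvd: interface [^ ]* address add \([0-9.]*\)\/[0-9]*$/\1/p'
}

# is_link_local ADDR: succeed when ADDR lies in 169.254.0.0/16.
is_link_local() {
    case $1 in
        169.254.*) return 0 ;;
        *) return 1 ;;
    esac
}

# snat_rule GRE_NET VPC_NET SRC: print the POSTROUTING rule from the post,
# refusing a SRC that bgp.log never reported or that is not link-local.
snat_rule() {
    gre_net=$1
    vpc_net=$2
    src=$3
    if ! inside_addrs | grep -qxF "$src"; then
        echo "$src was not reported in bgp.log" >&2
        return 1
    fi
    if ! is_link_local "$src"; then
        echo "$src is not a 169.254/16 tunnel address" >&2
        return 1
    fi
    printf 'iptables -t nat -A POSTROUTING --src %s --dst %s -j SNAT --to-source %s\n' \
        "$gre_net" "$vpc_net" "$src"
}

echo "inside addresses seen in bgp.log:"
inside_addrs
# Use the address of the tunnel that is actually up; the post uses the second one.
snat_rule 10.10.0.0/26 172.16.0.0/16 169.254.44.42
# On a real gateway: BGP_LOG=$(cat /var/log/quagga/bgp.log) before calling these.
```

<p>The AWS VPN hands you two tunnels, each with its own /30, which is why two addresses show up; the rule must use the inside address of the tunnel BGP is actually established over, otherwise the SNATed packets leave with a source the far side never routes back.</p>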
<p>Now you should be able to ping or traceroute to your AWS nodes in the VPC. If you can, you're golden. If it doesn't work, some things to try: one, add the iptables rule <code>iptables -A FORWARD -j LOG</code>, which logs all forwarded traffic (remove it again once you are done debugging, since it logs every forwarded packet); two, make sure forwarding is enabled in sysctl.conf on both the gateway and the client.</p>
<p>Happy BGP'ing and GRE routing around a limitation on Linode. You could use this in many settings, not just Linode. For a good read on GRE, see this <a href="http://bjornruud.net/2011/02/gre-tunnel-with-multicast-support.html">GRE Tutorial</a>.</p>